Move enabling security to WebGoat core and add resetting the lessons.

We can use it for more lessons and showcase how to apply security directly from the source code. Resolves: #1176
2021-12-19 14:35:14 +01:00
parent 705ec85f35
commit ac4b06f11b
10 changed files with 60 additions and 103 deletions
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java
@ -6,57 +6,28 @@

 package org.owasp.webgoat.service;

+import lombok.RequiredArgsConstructor;
+import org.owasp.webgoat.i18n.Messages;
+import org.owasp.webgoat.session.WebSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;

-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Date;
-import java.util.Enumeration;
-import java.util.List;
-
-/**
- * <p>SessionService class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
@Controller
+@RequiredArgsConstructor
 public class SessionService {

-    /**
-     * Returns hints for current lesson
-     *
-     * @param session a {@link javax.servlet.http.HttpSession} object.
-     * @param request a {@link javax.servlet.http.HttpServletRequest} object.
-     * @return a {@link java.lang.String} object.
-     */
-    @RequestMapping(path = "/service/session.mvc", produces = "application/json")
-    public @ResponseBody
-    String showSession(HttpServletRequest request, HttpSession session) {
-        StringBuilder sb = new StringBuilder();
-        sb.append("id").append(" = ").append(session.getId()).append("\n");
-        sb.append("created").append(" = ").append(new Date(session.getCreationTime())).append("\n");
-        sb.append("last access").append(" = ").append(new Date(session.getLastAccessedTime())).append("\n");
-        sb.append("timeout (secs)").append(" = ").append(session.getMaxInactiveInterval()).append("\n");
-        sb.append("session from cookie?").append(" = ").append(request.isRequestedSessionIdFromCookie()).append("\n");
-        sb.append("session from url?").append(" = ").append(request.isRequestedSessionIdFromURL()).append("\n");
-        sb.append("=====================================\n");
-        // get attributes
-        List<String> attributes = new ArrayList<String>();
-        Enumeration keys = session.getAttributeNames();
-        while (keys.hasMoreElements()) {
-            String name = (String) keys.nextElement();
-            attributes.add(name);
-        }
-        Collections.sort(attributes);
-        for (String attribute : attributes) {
-            String value = session.getAttribute(attribute) + "";
-            sb.append(attribute).append(" = ").append(value).append("\n");
-        }
-        return sb.toString();
+    private final WebSession webSession;
+    private final RestartLessonService restartLessonService;
+    private final Messages messages;
+
+    @RequestMapping(path = "/service/enable-security.mvc", produces = "application/json")
+    @ResponseBody
+    public String applySecurity() {
+        webSession.toggleSecurity();
+        restartLessonService.restartLesson();
+
+        var msg = webSession.isSecurityEnabled() ? "security.enabled" : "security.disabled";
+        return messages.getMessage(msg);
    }
 }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
@ -5,8 +5,6 @@ import org.owasp.webgoat.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;

 import java.io.Serializable;
-import java.sql.Connection;
-import java.sql.SQLException;

 /**
 * *************************************************************************************************
@ -39,9 +37,10 @@ import java.sql.SQLException;
 */
 public class WebSession implements Serializable {

-	private static final long serialVersionUID = -4270066103101711560L;
-	private final WebGoatUser currentUser;
-    private Lesson currentLesson;
+    private static final long serialVersionUID = -4270066103101711560L;
+    private final WebGoatUser currentUser;
+    private transient Lesson currentLesson;
+    private boolean securityEnabled;

    public WebSession() {
        this.currentUser = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
@ -73,4 +72,12 @@ public class WebSession implements Serializable {
    public String getUserName() {
        return currentUser.getUsername();
    }
+
+    public void toggleSecurity() {
+        this.securityEnabled = !this.securityEnabled;
+    }
+
+    public boolean isSecurityEnabled() {
+        return securityEnabled;
+    }
 }
--- a/webgoat-container/src/main/resources/i18n/messages.properties
+++ b/webgoat-container/src/main/resources/i18n/messages.properties
@ -60,4 +60,6 @@ not.empty=This field is required.
 username.size=Please use between 6 and 10 characters.
 username.duplicate=User already exists.
 password.size=Password should at least contain 6 characters
-password.diff=The passwords do not match.
+password.diff=The passwords do not match.
+security.enabled=Security enabled, you can try the previous challenges and see the effect!
+security.disabled=Security enabled, you can try the previous challenges and see the effect!